noon
no ordinary object notation
14
Versions
Unlicense
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
monsterkodi
Keywords
noonobjectnotation
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:js/noon.js | AI (source-diff): File is koffee-compiled JavaScript (header says '// koffee 0.43.0'). Long lines are static string literals (CLI help text), not obfuscation. Stable for this package. | ai | |
| source-diff | obfuscated-file:js/parse.js | AI (source-diff): File is koffee-compiled JavaScript (header says '// koffee 0.43.0'). Readable, structured code with normal patterns. Not obfuscated. | ai | |
| source-diff | obfuscated-file:js/stringify.js | AI (source-diff): File is koffee-compiled JavaScript (header says '// koffee 0.56.0'). Readable, structured code with normal patterns. Not obfuscated. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is due to adding pre-compiled koffee/JS output files to the package distribution. Legitimate build artifact addition. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): The require() call uses a static string literal argument for CLI help text, not a dynamic variable. False positive for this package. | ai |